Microsoft Defender Weekly Wrap - Issue #51
Happy Friday all!
I'm just a couple days away from my next big trip, so this past week has been all about session prep and getting the travel ducks all in a row. And that actually means making sure all my charging cables are packed and I have some movies and books downloaded to watch and read on the plane ride.
I'll be in Orlando, Florida all next week for TechMentor/Live!360. Thankfully, my trip will be just after the most recent tropical storm subsides. The weather forecast for next week looks phenomenal.
If you remember from earlier this year, I was at the TechMentor event in Redmond on the Microsoft campus. This is an extension of that event. If you're reading this and you happen to also be there next week, come find me. It would be great to shake hands. Also, if you happen to have a physical copy of the Must Learn KQL book, bring it along. I'll be happy to sign it. And, if you don't have a copy and want one, I'll have a stack of signed books to give away during my sessions.
...
This week, we'd love if you could participate in the following survey to help us continue to build a better product.
Pull Request Annotations in Defender for DevOps
Our Defender for DevOps team would like your feedback on the Pull Request annotations feature.
Defender for DevOps exposes security findings as annotations in pull requests (PRs). Security operators can enable PR annotations in Microsoft Defender for Cloud, and developers can then remediate any exposed issues. This process can prevent and fix potential security vulnerabilities and misconfigurations before they reach production. Defender for DevOps annotates only the vulnerabilities within the changed lines (the diff) of a file rather than all the vulnerabilities detected across the entire file. Developers see the annotations in their source code management system, and security operators can see any unresolved findings in Microsoft Defender for Cloud.
Survey link: https://rodtrent.com/9by
...
Speaking of Must Learn KQL, the seasonal holiday editions of everything in the merch store are now available. And there's new stuff, too. Here's what's available:
[1] The ever-popular holiday coffee cup is back for the season! https://rodtrent.com/e89
[2] There's a seasonal KQL song! Yes, a song. And it's brandished on three different styles of long sleeve t-shirt:
Style 1: https://rodtrent.com/ndo
Style 2: https://rodtrent.com/fsa
Style 3: https://rodtrent.com/z45
[3] And, then there's my new absolute favorite (I'll be wearing this at TechMentor next week!), the KQL'Ling t-shirt: https://rodtrent.com/dyz
As always, all profit from the Must Learn KQL merch sales goes directly to St. Jude Children's Research Hospital. So, you can feel good about getting something for yourself (and your geeky loved ones) and helping others at the same time.
...
That's it from me for this week.
Talk soon.
-Rod
Things that are Related
Webbrowser-based phishing technique — www.amestofortytwo.com Phishing is one of the most dangerous and ugliest types of attacks out there, because it is based on human interaction, naiveness and error.
Listen to Episode 1 – What's new in Cloud Security from Microsoft Ignite 2022 by Atos in Head Securely in the Clouds playlist online for free on SoundCloud — soundcloud.com First episode of Head Securely in the Clouds, hosted by Dwayne Natwick, Global Security Lead for Atos, is here! Our first guests are Shannon Kuehn, Senior Product Manager at Microsoft, and Rod Trent, Senior Cloud Security Advocate at Microsoft.
Things in Techcommunity
Documenting portal configuration settings - Microsoft Community Hub — techcommunity.microsoft.com Does anyone have any suggestions about how to document the MDC portal configuration settings, i.e., create a report that shows which subscriptions, plans
2 factor for allowing unsigned apps to be installed? - Microsoft Community Hub — techcommunity.microsoft.com Hi everyone, I'm just looking for your ideas on dealing with unsigned applications. We can't trust EDR/AV to do everything and yet there are times we want
MDE unified solution for servers - Microsoft Community Hub — techcommunity.microsoft.com Hi All, I’m looking into Microsoft Defender for Endpoint’s unified agent integration with Defender for servers. The enable button for the Defender for
Things in the News
Microsoft Defender Experts for Hunting demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations for Managed Services — www.microsoft.com Microsoft Defender Experts for Hunting, our newest managed threat hunting service, delivered industry-leading results during the inaugural MITRE Engenuity ATT&CK® Evaluations for Managed Services.
Defender for Cloud Things
VIDEO: Demystifying Microsoft Defender for Servers — www.youtube.com Tuesday, November 8, 2022, 11:00 AM ET / 8:00 AM PT (webinar recording date) Microsoft Defender for Cloud Webinar | Demystifying Microsoft Defender for Serve...
VIDEO: New Contextual CSPM a Context-Aware Security Intelligence — www.youtube.com Thursday, November 10, 2022, 11:00 AM ET / 8:00 AM PT (webinar recording date) Microsoft Defender for Cloud Webinar | New Contextual CSPM a Context-Aware Sec...
VIDEO: Cloud security explorer and Attack path analysis | Defender for Cloud in the Field #20 — www.youtube.com In this episode of Defender for Cloud in the Field, Tal Rosler joins Yuri Diogenes to talk about Cloud security explorer and Attack path analysis, two new ca...
DOCS: Connect your GCP project to Microsoft Defender for Cloud | Microsoft Learn — learn.microsoft.com Monitoring your GCP resources from Microsoft Defender for Cloud
Defender for Endpoint Things
BLOG: Defender for Endpoint - Implementing ASR Rules — blog.nathanmcnulty.com To get started, we will create a policy to set all Attack Surface Reduction rules to Audit mode to ensure applications are not impacted. This allows us to gather telemetry data for any applications that might be affected by these rules. Data should be collected for 30 days first, and then exclusions can be made for any legitimate applications that we want to allow. Creating exclusions too early reduces visibility for the scope of impact across all devices. For this article, I will use Intune's Endpoint security profile, but the doc below details all available options.
BLOG: Microsoft Defender for Endpoint series – Attack Surface reduction and additional protection – Part 4B — jeffreyappel.nl It is time for part 4B of the ultimate Microsoft Defender for Endpoint (MDE) series. Part 4A explains the AV policy baseline. Now it is time for some more detailed information for the Attack Surface reduction and additional protection layers of Defender for Endpoint and Defender AV.
BLOG: Initial Access - Attacking and Defending MDE — misconfig.io Roses are red, Violets are blue, and if initial access has been successfully done, your network is probably gone.
BLOG: Intune app protection: Migrating between Mobile Threat Defense solutions - Microsoft Community Hub — techcommunity.microsoft.com Intune can integrate data from Mobile Threat Defense (MTD) solutions such as Microsoft Defender for Endpoint and other non-Microsoft MTD partners as an
Defender for IoT Things
BLOG: How to setup a PoC for Defender for IoT Part I — flanallity.com In this second blog I will explain how you can setup a PoC for Defender for IoT. I built this setup for my home situation and it was a little bit surprising how many internet enabled devices I already have in my tiny house.
BLOG: Section 52 Releases an Open Source Forensics Tool for Siemens PLCs - Microsoft Community Hub — techcommunity.microsoft.com The tool can be found here: https://github.com/microsoft/ics-forensics-tools Attacks on PLCs have become more common and complex from the Stuxnet worm in
BLOG: Highlighting IoT/OT Security in the 2022 Microsoft Digital Defense Report - Microsoft Community Hub — techcommunity.microsoft.com Following the release of the 2022 Microsoft Digital Defense Report , Microsoft Defender for IoT is proud to share our contributions and insights with our
365 Defender Things
BLOG: Announcing Software Usage Insights in public preview - Microsoft Community Hub — techcommunity.microsoft.com We are excited to announce the release of Software Usage Insights within Microsoft Defender Vulnerability Management. Starting today, organizations who
BLOG: Investigate incidents more effectively with the new attack story view in Microsoft 365 Defender — techcommunity.microsoft.com Investigate incidents more effectively with the new attack story view in Microsoft 365 Defender
Defender for Business Things
BLOG: Server security made simple for small businesses — techcommunity.microsoft.com Server security now available within Microsoft Defender for Business with new add-on license.
Microsoft Entra Things
PODCAST: Onboarding internal Microsoft Subscriptions to Entra Permissions Management | The Microsoft 425Show — 425show.simplecast.com We chatted with Ryan McDonald and Dylan Blasi about Microsoft's adoption of Entra Permissions Management.
BLOG: Embrace and Secure Multicloud with Entra Permissions Management - Microsoft Community Hub — techcommunity.microsoft.com Today, we’ve seen the majority of organizations embrace a multicloud deployment strategy for their applications and workloads in the cloud. Consequently,
BLOG: Making it easier to apply and manage security settings for your users in Microsoft 365 - Microsoft Community Hub — techcommunity.microsoft.com The Microsoft 365 commercial support team resolves customer support cases and provides support to help you be successful and realize the full potential
Defender Threat Intelligence Things
BLOG: Defender TI Empowers Organizations to Get More Done With Less — techcommunity.microsoft.com A recent peer-reviewed commentary published by the Sans Institute explores the critical role of cyber threat intelligence in attack surface management. Here's how Microsoft Defender Threat Intelligence enables effective security programs.